Plex warns all users to change their passwords following a data breach

midian182

Posts: 8,314   +103
Staff member
What just happened? If you're one of the 13 million or so people who actively use Plex every month, you should probably change your password as soon as possible. That's what the company is advising after it discovered suspicious activity in one of its databases and found a third party had accessed a subset of data that included emails, usernames, and encrypted passwords.

The streaming media service/media player sent an email out to users earlier today (August 24) informing them of the intrusion. Plex does emphasize that all passwords were hashed and secured in accordance with its best practices, but it still recommends users reset them out of an abundance of caution and sign out of all their devices. Plex says changing the password is a requirement, though some users say they aren't being forced into this action—at least not yet.

Plex also notes that no credit card information or other payment details were accessed as these are stored on a separate server, so they're safe. It adds that while the perpetrator has not yet been identified, the method used to access the database has been addressed and it is conducting additional reviews to ensure the security of its other systems is hardened to prevent similar compromises.

As noted by Troy Hunt, the creator of the Have I been Pwned website who was also impacted by the hack, the usual precautions are recommended to avoid the worst consequences of cybercrime: always enable two-factor authentication wherever possible and if you want to add some extra security, make sure to use password managers that store not only your credentials but also create random passwords. You might remember that the most common password of 2021 was "123456" and the rest of the top ten was just as embarrassing.

Plex also reminded customers that it will never ask for passwords or credit card information over email.

If you've never used Plex before and would like to give it a try, you can download the app for multiple devices right here.

Permalink to story.

 

OortCloud

Posts: 824   +820
How can they be storing passwords in a way that requires them to be changed?

It's been the most fundamental tenet of all security that passwords be one-way-encrypted for 15 years now. All they should have stored is a binary blob that is utterly meaningless unless you feed it the correct pwd/salt etc
 

Burty117

Posts: 4,600   +2,901
How can they be storing passwords in a way that requires them to be changed?

It's been the most fundamental tenet of all security that passwords be one-way-encrypted for 15 years now. All they should have stored is a binary blob that is utterly meaningless unless you feed it the correct pwd/salt etc
You should probably re-read their email. They were secured, they're asking users to change their passwords "out of an abundance of caution".
 

mbk34

Posts: 387   +287
I changed my password as instructed and now I've lost the library on my NAS and replaced it with a whole load of free movies I'll never watch - WTF?
EDIT - things have now returned almost to normal, I'm guessing it must of been a syncing issue between the plex server and the NAS. I'll do a rescan when everything has calmed down.
 
Last edited:

amghwk

Posts: 1,235   +1,184
Rob Thubron said:
If you've never used Plex before and would like to give it a try, you can download the app for multiple devices right here.

At this time - when its security is breached???
 

Neatfeatguy

Posts: 1,017   +1,855
At this time - when its security is breached???

Folks are still using Playstations...
Facebook...
LinkedIn....
Twitter....
Experian...
Ebay...
Captial One...

Those are just the ones I remember off the top of my head that have had data breaches in the past and I'm certain there are many, many more from many different companies (some have had multiple data breaches over the years).